Who decides how much security risk to take for a specific system?

Chief Information Security Officer: 32%
Chief Information Officer: 33%
Chief Risk Officer: 15%
Chief Executive Officer: 7%
Board: 3%
System Owner: 5%
Others (please specify): 2%
1430 PARTICIPANTS
Director of Information Technology in Construction, 5 years ago

I believe this to be a combined effort between the system owner, CIO and Board/CEO. The system owner should always try to secure a system with the best available tools; however, resources and budget might change the availability of these tools.

CIO, 5 years ago

It is like asking how much insurance you need. It really is a call by the CEO and/or the board. System owner/CIO/ciro can only recommend.

CIO/Project Management Office in Software, 5 years ago
Depends on the risk. As with expenses, anyone beyond the CEO / Board has a level of risk they are willing to take on in their role. Once that level is defined, their job is to deliver the best approach. I personally try to insulate the company from any risk where I can either solve it through negotiation in the contract, or by providing an alternative up front.
If I can’t see the way out clearly, I escalate and recommend.
CEO & Founder in Software, 5 years ago

It depends on the criticality of the system and the risk associated with it getting compromised. Generally, mature organizations have some assessment matrix that helps quantify the risk, and based on the severity it could be a simple decision by the CIO or a compound decision by the CIO/CISO/CEO. The end game is about risk mitigation and protecting company assets.

Consultant - Data Governance and IT Security Program Manager in Finance (non-banking), 5 years ago

Corporate risk aptitude is set by the board. The CIO sets the guidelines for risk mitigations, and the CISO will oversee the solution implemented to mitigate risk for individual systems.